Bug 261738
| Summary: | HTTP Basic Auth in URL not used | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Janik Besendorf <janik> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | REOPENED | ||
| Severity: | Normal | CC: | annevk, ap, beidson, janik, karlcow, webkit-bug-importer, youennf |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Janik Besendorf
When navigation to a URL that includes HTTP Basic Auth login information in the format like USER:PASSWORD@example.com the part before the @ is ignored and a popup that asks for a username and a password is displayed
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
I think that this may be intentional, but cannot remember the details. Adding some people who may know.
Anne van Kesteren
Yeah, this would make it very easy to perform dictionary attacks or phish the end user in some way.
Various groups, including the HTTP WG, have been deprecating this format for HTTP URLs.
Janik Besendorf
Firefox and Chrome support this feature on mobile and Desktop. I don't see how this could be used for phishing. Could you elaborate on this? Could you send a link to the HTTP WG statement?
Anne van Kesteren
Thanks, I guess we should keep this open for now then. The phishing aspect for these URLs is mainly that you could put something before the `@` that might confuse the end user about where they are going.
It's deprecated for all URLs apparently: https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.1. https://url.spec.whatwg.org agrees with this though states it in a less obvious manner.
Radar WebKit Bug Importer
<rdar://problem/116052283>